Hi guys,
Here are the details of the issue that I am facing:
[GOAL]: Use the OutSystems platform as an OAuth2 provider for issuing ID tokens with verified signatures (using the https://jwt.io/ website to validate them).
[CONTEXT]: I am trying to create JWTs in the JWT Forge Component using the JSON Web Key option to sign them. The documentation suggests using https://mkjwk.org/ to generate JWKs. By using this online generator things work fine (I mean, I can create JWTs and their signatures are successfully verified in https://jwt.io/). But I cannot trust this website for security reasons.
[PROBLEM]: How to create JWKs that provide valid signatures for JWTs using custom code?
[OTHER REMARKS]: In the meantime, I have built .NET C# code that generates JWTs and validates their signatures successfully using a method from the JwtSecurityTokenHandler system class, but the signature verification of those JWTs fails in https://jwt.io/
Hi Valter,
Afaik JWK is just a way to specify public keys. So you're not looking at creating JWKs, but you need a public (and accompanying private) key. So it seems to me (but I'm far from a cryptographic expert) you can use any key generator you like, like ssh-keygen, or take one from a certificate you own (the latter option is used by us in our own JWT implementation, but we don't use JWK as we have shared certificates).
Exactly, JWK is just a neat way to represent keys, that's it. It is supported because many providers export keys in that format. mkjwk.org is a nice way to get some keys for testing.
First of all, thank you guys for your prompt responses. I am sorry for not using the technical terms properly (I am new to the cryptography world). My actual question is more related to how to create the private/public key pair... @Kilian Hekhuis I'll be googling ssh-keygen and get back to you to raise any doubts or mark this question as solved.
In the meantime, João Almeida, I got some keys from the online generator you mentioned and things worked fine, but like I said I cannot use them in a real project for security reasons.
Indeed. Generating keys for a prod environment should always be done using ssh-keygen or similar in a controlled environment. Converting keys from PEM format ("-----BEGIN ... KEY-----" etc.) to JWK requires some tooling or programming, because the values in the JWK string consist of the different cryptographic coefficients in the key, which can't be extracted directly from the key in PEM format. Using a small console app for that is one option; there might be a way to convert or export to JWK using the OpenSSH toolset, but I don't know it right now. For extra testing, here's a tool to convert from PEM to JWK: https://tribestream.io/tools/pem2jwk/
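The "small console app" the reply above mentions, written out as an added example (this is not code from the thread, from OutSystems or from the JWT Forge component). It uses only the Go standard library and does the whole chain the original poster asked about: generate an RSA key pair locally and write it as PEM, read a PEM file back (PKCS#8 "PRIVATE KEY" or PKCS#1 "RSA PRIVATE KEY"), pull the n, e, d, p, q, dp, dq and qi coefficients out of it into a JWK as RFC 7518 defines them, sign an RS256 token, and verify that token from the public JWK alone, which is the check jwt.io performs. The 2048-bit key size, the RS256 algorithm, the function names and the claims payload are choices made here, not something the thread specifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// JWK and JWS use unpadded base64url (RFC 7515 / 7517), not ordinary base64.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// GenerateRSAPEM creates a key pair on the local machine and returns it as PKCS#8 PEM.
func GenerateRSAPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for a valid *rsa.PrivateKey
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// ParseRSAPrivatePEM accepts PKCS#8 ("PRIVATE KEY") or PKCS#1 ("RSA PRIVATE KEY") PEM.
func ParseRSAPrivatePEM(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if block.Type == "RSA PRIVATE KEY" { // PKCS#1, e.g. what `ssh-keygen -m PEM` writes
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes) // PKCS#8, e.g. `openssl genpkey`
	if rk, ok := k.(*rsa.PrivateKey); ok && err == nil {
		return rk, nil
	}
	return nil, fmt.Errorf("PEM does not hold an RSA key: %v", err)
}

// JWK holds the RSA parameters of RFC 7518 section 6.3 as base64url strings.
type JWK map[string]string

// PublicJWK (n and e only) is what a JWKS endpoint publishes and what jwt.io needs to verify.
func PublicJWK(pub *rsa.PublicKey) JWK {
	return JWK{"kty": "RSA", "n": b64(pub.N.Bytes()), "e": b64(big.NewInt(int64(pub.E)).Bytes())}
}

// PrivateJWK adds d and the CRT coefficients a signing component consumes;
// treat the result exactly like the PEM file it came from.
func PrivateJWK(priv *rsa.PrivateKey) JWK {
	priv.Precompute() // fills Dp, Dq and Qinv if the PEM parser did not
	j := PublicJWK(&priv.PublicKey)
	j["d"], j["p"], j["q"] = b64(priv.D.Bytes()), b64(priv.Primes[0].Bytes()), b64(priv.Primes[1].Bytes())
	j["dp"], j["dq"], j["qi"] = b64(priv.Precomputed.Dp.Bytes()), b64(priv.Precomputed.Dq.Bytes()), b64(priv.Precomputed.Qinv.Bytes())
	return j
}

// SignRS256 builds a compact JWS; RS256 is RSASSA-PKCS1-v1_5 with SHA-256 over
// "base64url(header).base64url(payload)" (RFC 7518 section 3.3).
func SignRS256(priv *rsa.PrivateKey, claimsJSON []byte) (string, error) {
	header := `{"alg":"RS256","typ":"JWT"}`
	input := b64([]byte(header)) + "." + b64(claimsJSON)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyRS256 does what jwt.io does with a pasted public JWK: rebuild the key
// from n and e, then check the signature over "header.payload".
func VerifyRS256(j JWK, token string) error {
	parts := strings.Split(token, ".")
	n, errN := base64.RawURLEncoding.DecodeString(j["n"])
	e, errE := base64.RawURLEncoding.DecodeString(j["e"])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[len(parts)-1])
	if j["kty"] != "RSA" || len(parts) != 3 || errN != nil || errE != nil || errS != nil {
		return fmt.Errorf("malformed JWK or token")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	pemKey, _ := GenerateRSAPEM(2048)
	priv, _ := ParseRSAPrivatePEM(pemKey)
	jwk, _ := json.Marshal(PrivateJWK(priv)) // the JSON a signing component's JWK option takes
	tok, _ := SignRS256(priv, []byte(`{"sub":"user-42","iss":"https://idp.example"}`)) // constructed claims
	fmt.Printf("%s\n%s\n", jwk, tok)
}
```

Two things worth knowing before running this against a real key: ssh-keygen's default output is the OpenSSH private key format, which neither PEM parser above understands, so generate with `ssh-keygen -m PEM` or `openssl genpkey` if you want to feed the file to ParseRSAPrivatePEM; and the `e` value will be `AQAB` (65537) for any key these tools produce, so a JWK with a different `e` is a sign the conversion went wrong. The private JWK printed by main is as sensitive as the PEM it came from and should go into the platform's secret storage, not a source repository; only the `kty`, `n` and `e` members belong on a JWKS endpoint or in the jwt.io verification box.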